Re: [squid-users] --> problem with wb_ntlmauth !

From: Alex Carlos Braga Ant�o <[email protected]>
Date: Wed, 05 Nov 2003 09:55:54 -0300

Then, what would be my problem ???

I tested my wb_group and it is working too...
I think I forgot to put my configuration: Debian woody, Samba 2.2.8,
SQUID 2.5 STABLE4.

With just on request on the browser, I get:

look, I put debug_options 29,9 and debug_option 23,9 and debug_options
28,9 (Auth, Auth, ACL).

In my Log file there the following:
2003/11/05 10:45:13| aclCheckFast: list: 0x8250e58
2003/11/05 10:45:13| aclMatchAclList: checking all
2003/11/05 10:45:13| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/11/05 10:45:13| aclMatchIp: '<IP ADDRESS OMMITED>' found
2003/11/05 10:45:13| aclMatchAclList: returning 1
2003/11/05 10:45:13| aclCheck: checking 'http_access allow manager
localhost'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny manager'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny !Safe_ports'
2003/11/05 10:45:13| aclMatchAclList: checking !Safe_ports
2003/11/05 10:45:13| aclMatchAcl: checking 'acl Safe_ports port 21 70 80
81 83 85 210 280 443 488 563 591 777 1025-3027 3029-65535 4505 7443 8000
8080 8900'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
2003/11/05 10:45:13| aclMatchAclList: checking CONNECT
2003/11/05 10:45:13| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access allow
UsuariosInternet GrupoInternet all'
2003/11/05 10:45:13| aclMatchAclList: checking UsuariosInternet
2003/11/05 10:45:13| aclMatchAcl: checking 'acl UsuariosInternet
proxy_auth REQUIRED'
2003/11/05 10:45:13| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2003/11/05 10:45:13| aclMatchAcl: returning 0 sending authentication
challenge.
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: requiring Proxy Auth header.
2003/11/05 10:45:13| aclCheck: match found, returning 2
2003/11/05 10:45:13| aclCheckCallback: answer=2
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: 0x8250910
2003/11/05 10:45:13| aclMatchAclList: checking all
2003/11/05 10:45:13| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/11/05 10:45:13| aclMatchIp: '<IP ADDRESS OMMITED>' found
2003/11/05 10:45:13| aclMatchAclList: returning 1
2003/11/05 10:45:13| aclCheckFast: list: 0x8250e58
2003/11/05 10:45:13| aclMatchAclList: checking all
2003/11/05 10:45:13| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/11/05 10:45:13| aclMatchIp: '<IP ADDRESS OMMITED>' found
2003/11/05 10:45:13| aclMatchAclList: returning 1
2003/11/05 10:45:13| aclCheck: checking 'http_access allow manager
localhost'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny manager'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny !Safe_ports'
2003/11/05 10:45:13| aclMatchAclList: checking !Safe_ports
2003/11/05 10:45:13| aclMatchAcl: checking 'acl Safe_ports port 21 70 80
81 83 85 210 280 443 488 563 591 777 1025-3027 3029-65535 4505 7443 8000
8080 8900'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
2003/11/05 10:45:13| aclMatchAclList: checking CONNECT
2003/11/05 10:45:13| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access allow
UsuariosInternet GrupoInternet all'
2003/11/05 10:45:13| aclMatchAclList: checking UsuariosInternet
2003/11/05 10:45:13| aclMatchAcl: checking 'acl UsuariosInternet
proxy_auth REQUIRED'
2003/11/05 10:45:13| authenticateAuthenticate: header NTLM <A NOT TOO
BIG STRING OMMITED>.
2003/11/05 10:45:13| authenticateAuthenticate: This is a new checklist
test on FD:31
2003/11/05 10:45:13| authenticateAuthenticate: no connection
authentication type
2003/11/05 10:45:13| aclMatchAcl: returning 0 sending credentials to helper.
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking password via authenticator
2003/11/05 10:45:13| aclCheck: checking 'http_access allow
UsuariosInternet GrupoInternet all'
2003/11/05 10:45:13| aclMatchAclList: checking UsuariosInternet
2003/11/05 10:45:13| aclMatchAcl: checking 'acl UsuariosInternet
proxy_auth REQUIRED'
2003/11/05 10:45:13| authenticateAuthenticate: header NTLM <A NOT TOO
BIG STRING OMMITED>.
2003/11/05 10:45:13| aclMatchAcl: returning 0 sending authentication
challenge.
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: requiring Proxy Auth header.
2003/11/05 10:45:13| aclCheck: match found, returning 2
2003/11/05 10:45:13| aclCheckCallback: answer=2
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: 0x8250910
2003/11/05 10:45:13| aclMatchAclList: checking all
2003/11/05 10:45:13| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/11/05 10:45:13| aclMatchIp: '<IP ADDRESS OMMITED>' found
2003/11/05 10:45:13| aclMatchAclList: returning 1
2003/11/05 10:45:13| aclCheck: checking 'http_access allow manager
localhost'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny manager'
2003/11/05 10:45:13| aclMatchAclList: checking manager
2003/11/05 10:45:13| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny !Safe_ports'
2003/11/05 10:45:13| aclMatchAclList: checking !Safe_ports
2003/11/05 10:45:13| aclMatchAcl: checking 'acl Safe_ports port 21 70 80
81 83 85 210 280 443 488 563 591 777 1025-3027 3029-65535 4505 7443 8000
8080 8900'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
2003/11/05 10:45:13| aclMatchAclList: checking CONNECT
2003/11/05 10:45:13| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking 'http_access allow
UsuariosInternet GrupoInternet all'
2003/11/05 10:45:13| aclMatchAclList: checking UsuariosInternet
2003/11/05 10:45:13| aclMatchAcl: checking 'acl UsuariosInternet
proxy_auth REQUIRED'
2003/11/05 10:45:13| authenticateAuthenticate: header NTLM <A VERY BIG
STRING OMMITED>.
2003/11/05 10:45:13| authenticateAuthenticate: This is a new checklist
test on FD:31
2003/11/05 10:45:13| aclMatchAcl: returning 0 sending credentials to helper.
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: checking password via authenticator
2003/11/05 10:45:13| aclCheck: checking 'http_access allow
UsuariosInternet GrupoInternet all'
2003/11/05 10:45:13| aclMatchAclList: checking UsuariosInternet
2003/11/05 10:45:13| aclMatchAcl: checking 'acl UsuariosInternet
proxy_auth REQUIRED'
2003/11/05 10:45:13| authenticateAuthenticate: header NTLM <A VERY BIG
STRING OMMITED>.
2003/11/05 10:45:13| aclMatchAcl: returning 0 sending authentication
challenge.
2003/11/05 10:45:13| aclMatchAclList: no match, returning 0
2003/11/05 10:45:13| aclCheck: requiring Proxy Auth header.
2003/11/05 10:45:13| aclCheck: match found, returning 2
2003/11/05 10:45:13| aclCheckCallback: answer=2
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: (nil)
2003/11/05 10:45:13| aclCheckFast: no matches, returning: 1
2003/11/05 10:45:13| aclCheckFast: list: 0x8250910
2003/11/05 10:45:13| aclMatchAclList: checking all
2003/11/05 10:45:13| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/11/05 10:45:13| aclMatchIp: '<IP ADDRESS OMITTED>' found
2003/11/05 10:45:13| aclMatchAclList: returning 1

And my squid.conf file has :

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth DOMAIN
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 6
auth_param basic realm Formato: DOMAIN\usuario
auth_param basic credentialsttl 2 hour

external_acl_type GrupoAD ttl=2400 negative_ttl=30 concurrency=5 %LOGIN
/usr/local/squid/libexec/wb_group

acl UsuariosInternet proxy_auth REQUIRED
acl GrupoInternet external GrupoAD internet

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow UsuariosInternet GrupoInternet all
Received on Wed Nov 05 2003 - 04:54:14 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:07 MST